Authorization server token endpoint. Must be HTTPS unless it points at
localhost / 127.0.0.1 (dev/test carve-out). The exchange helper
rejects non-HTTPS URLs at runtime to keep the client secret off the
wire in plaintext.
OAuth client ID. May be a $ENV:VAR reference.
OAuth client secret. May be a $ENV:VAR reference.
Optional scope: Requested OAuth scope (space-delimited for multiple).
Optional resource: RFC 8707 resource indicator(s). Advertises the protected resource the
issued token will be used against, so the AS can mint an
audience-bound token. Required by some AS deployments (Keycloak in
strict mode, AWS Cognito with resource servers) when the agent is
behind a proxy that validates aud. Accepts a single URI or an array
— the library sends one resource form field per entry.
Optional audience: Audience parameter. Non-standard in RFC 6749 but widely supported by
Auth0, Okta, and Azure AD as the preferred way to request an
audience-bound token. Send this when the AS documentation calls for
audience=; otherwise prefer resource (RFC 8707).
Optional auth_: Where to put client credentials on the token request.
basic (default): HTTP Basic Auth header (RFC 6749 §2.3.1 preferred).
body: client_id / client_secret form fields in the body.
RFC 6749 says servers MUST support Basic and MAY support body — a few popular providers only accept body, so this toggle exists.
OAuth 2.0 client credentials grant configuration (RFC 6749 §4.4).
For machine-to-machine authentication where no user is present — the library exchanges the client ID + secret directly with the authorization server. Tokens are cached in AgentConfig.oauth_tokens and re-exchanged by ensureClientCredentialsTokens when they near expiry.

Secret values (client_id, client_secret) may be either literal strings or env-var references in the form $ENV:VAR_NAME. References are resolved at token-exchange time by resolveSecret, so secrets never need to land on disk for CI use cases.

Example: Literal secret (local dev)
Example: Env-var reference (CI — no on-disk secret)
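The request-building rules described above (HTTPS-only endpoint with a loopback carve-out, $ENV: resolution at exchange time, Basic versus body credential placement, one resource field per entry), as an added sketch that is not the library's own code. The names token_endpoint, credentials_in, resolveSecretRef, assertSecureEndpoint and buildTokenRequest are assumptions of this example, as is failing closed on an unset variable.

```javascript
// Added illustration; not the library's implementation.
// token_endpoint and credentials_in are assumed field names.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1']);

// application/x-www-form-urlencoded encoding of one value; RFC 6749 §2.3.1
// applies it to both halves of the Basic credential before base64.
const formEncode = (v) => new URLSearchParams({ v }).toString().slice(2);

// Resolve a literal or a $ENV:VAR_NAME reference at exchange time.
// Failing closed on an unset variable is an assumption of this sketch.
function resolveSecretRef(value, env = process.env) {
  if (!value.startsWith('$ENV:')) return value;
  const name = value.slice('$ENV:'.length);
  const resolved = env[name];
  if (!resolved) throw new Error(`environment variable ${name} is not set`);
  return resolved;
}

// Refuse plaintext transport except to a loopback dev/test endpoint.
function assertSecureEndpoint(endpoint) {
  const url = new URL(endpoint);
  if (url.protocol === 'https:') return url;
  if (url.protocol === 'http:' && LOOPBACK_HOSTS.has(url.hostname)) return url;
  throw new Error(`token endpoint must be HTTPS: ${url.protocol}//${url.host}`);
}

// Build (but do not send) the token request described by the config.
function buildTokenRequest(cfg, env = process.env) {
  const url = assertSecureEndpoint(cfg.token_endpoint);
  const id = resolveSecretRef(cfg.client_id, env);
  const secret = resolveSecretRef(cfg.client_secret, env);
  const body = new URLSearchParams({ grant_type: 'client_credentials' });
  const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };

  if (cfg.scope) body.set('scope', cfg.scope);
  if (cfg.audience) body.set('audience', cfg.audience);
  // One `resource` form field per entry (RFC 8707).
  for (const r of [].concat(cfg.resource ?? [])) body.append('resource', r);

  if ((cfg.credentials_in ?? 'basic') === 'body') {
    body.set('client_id', id);
    body.set('client_secret', secret);
  } else {
    const pair = `${formEncode(id)}:${formEncode(secret)}`;
    headers.Authorization = 'Basic ' + Buffer.from(pair).toString('base64');
  }
  return { url: url.href, method: 'POST', headers, body: body.toString() };
}
```

The endpoint check runs before any secret is resolved, so a misconfigured plaintext URL fails without the secret being read, and the error text carries only the scheme and host.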